To manage cyber risk effectively, financial institutions (FIs) must be able to measure it. This report considers why quantifying cyber risk is increasingly important to FIs as cyber attacks become more frequent and complex, and outlines Chartis’s new and unique approach to cyber risk quantification.

The report also provides a detailed illustration of the method in action. The results from that test, run on a hypothetical bank with $250bn in notional assets divided between four divisions – retail banking, investment banking, transactional banking and retail brokerage – were telling. Even assuming reasonably effective mitigation of threats, our model calculated a total Value at Risk (VaR) of $234m for the bank. The VaR numbers for the retail brokerage ($48m), the investment banking division ($45m), and the transactional banking division ($12m) were each dwarfed by the VaR for the retail banking division, at $129m. This highlights how exposure to risk can vary significantly according to the network structure in place in a particular division.